Play interactive tour

Edit tour

Analysis Report 9644a199_by_Libranalysis

Overview

General Information

Sample Name:	9644a199_by_Libranalysis (renamed file extension from none to exe)
Analysis ID:	399523
MD5:	9644a199c0d74c2f223b042b93899333
SHA1:	00a0778246cd4e4df046ea7c3ccdb5d04f056a19
SHA256:	0b10841226c0d6fb59f308c09309e79d214ca6799ac162c1addd5455d7ef3fd7
Tags:	AgentTesla
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM3

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Moves itself to temp directory

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

9644a199_by_Libranalysis.exe (PID: 5876 cmdline: 'C:\Users\user\Desktop\9644a199_by_Libranalysis.exe' MD5: 9644A199C0D74C2F223B042B93899333)

schtasks.exe (PID: 5364 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lklQGPQqWZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp78E2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

9644a199_by_Libranalysis.exe (PID: 6184 cmdline: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe MD5: 9644A199C0D74C2F223B042B93899333)

9644a199_by_Libranalysis.exe (PID: 6192 cmdline: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe MD5: 9644A199C0D74C2F223B042B93899333)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "peter.terkper@gh-wilmar-intl.comqwert2829@email.gous2.smtp.mailhostbox.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.484600154.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.254296394.00000000033D9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 9644a199_by_Libranalysis.exe PID: 6192	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 9644a199_by_Libranalysis.exe PID: 6192	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 9644a199_by_Libranalysis.exe PID: 5876	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 9644a199_by_Libranalysis.exe PID: 5876	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.9644a199_by_Libranalysis.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.9644a199_by_Libranalysis.exe.3478240.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.9644a199_by_Libranalysis.exe.3478240.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lklQGPQqWZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp78E2.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lklQGPQqWZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp78E2.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\9644a199_by_Libranalysis.exe' , ParentImage: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe, ParentProcessId: 5876, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lklQGPQqWZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp78E2.tmp', ProcessId: 5364

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 6.2.9644a199_by_Libranalysis.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "peter.terkper@gh-wilmar-intl.comqwert2829@email.gous2.smtp.mailhostbox.com"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\lklQGPQqWZ.exe

ReversingLabs: Detection: 25%

Multi AV Scanner detection for submitted file

Show sources

Source: 9644a199_by_Libranalysis.exe

ReversingLabs: Detection: 25%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\lklQGPQqWZ.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: 9644a199_by_Libranalysis.exe

Joe Sandbox ML: detected

Source: 6.2.9644a199_by_Libranalysis.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 9644a199_by_Libranalysis.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 9644a199_by_Libranalysis.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		1_2_070ADA78
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		1_2_070ADD90

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49738 -> 208.91.199.225:587

Source: global traffic

TCP traffic: 192.168.2.3:49738 -> 208.91.199.225:587

Source: Joe Sandbox View

IP Address: 208.91.199.225 208.91.199.225

Source: global traffic

TCP traffic: 192.168.2.3:49738 -> 208.91.199.225:587

Source: unknown

DNS traffic detected: queries for: us2.smtp.mailhostbox.com

Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp	String found in binary or memory: http://SSIeJj.com
Source: 9644a199_by_Libranalysis.exe, 00000001.00000003.219365504.0000000005425000.00000004.00000001.sdmp	String found in binary or memory: http://en.w
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249393872.00000000023D1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.492162365.00000000030AC000.00000004.00000001.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: 9644a199_by_Libranalysis.exe	String found in binary or memory: http://web.archive.org/web/20150218144800/http://faculty.darden.virginia.edu/conroyb/derivatives/Bin
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 9644a199_by_Libranalysis.exe, 00000001.00000003.227116873.0000000005455000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 9644a199_by_Libranalysis.exe, 00000001.00000003.226832646.0000000005455000.00000004.00000001.sdmp, 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256390682.0000000005420000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comceta
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: 9644a199_by_Libranalysis.exe, 00000001.00000003.219513718.000000000543B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comQ
Source: 9644a199_by_Libranalysis.exe, 00000001.00000003.221800913.0000000005426000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 9644a199_by_Libranalysis.exe, 00000001.00000003.221414928.0000000005427000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn$8
Source: 9644a199_by_Libranalysis.exe, 00000001.00000003.221414928.0000000005427000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn.8
Source: 9644a199_by_Libranalysis.exe, 00000001.00000003.221800913.0000000005426000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 9644a199_by_Libranalysis.exe, 00000001.00000003.221800913.0000000005426000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnV
Source: 9644a199_by_Libranalysis.exe, 00000001.00000003.221186396.000000000542E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnd
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp, 9644a199_by_Libranalysis.exe, 00000001.00000003.230877212.0000000005439000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 9644a199_by_Libranalysis.exe, 00000001.00000003.229851180.0000000005428000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.w5
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp, 9644a199_by_Libranalysis.exe, 00000001.00000003.218984783.0000000005423000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: 9644a199_by_Libranalysis.exe	String found in binary or memory: https://github.com/gh28942
Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp	String found in binary or memory: https://pszp7LGnmpscRH9.o
Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp	String found in binary or memory: https://pszp7LGnmpscRH9.org
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.254296394.00000000033D9000.00000004.00000001.sdmp, 9644a199_by_Libranalysis.exe, 00000006.00000002.484600154.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_00B0C2B0	1_2_00B0C2B0
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_00B09998	1_2_00B09998
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_070AA680	1_2_070AA680
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_070AA018	1_2_070AA018
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_070ACC78	1_2_070ACC78
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_070A9920	1_2_070A9920
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_070A577F	1_2_070A577F
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_070A5790	1_2_070A5790
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_070A0678	1_2_070A0678
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_070A0688	1_2_070A0688
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_070AE590	1_2_070AE590
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_070A4388	1_2_070A4388
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_070A026A	1_2_070A026A
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_070A0278	1_2_070A0278
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_070A52B8	1_2_070A52B8
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_070A52C8	1_2_070A52C8
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_070A1185	1_2_070A1185
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_070A1198	1_2_070A1198
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_070A0040	1_2_070A0040
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_070A6078	1_2_070A6078
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_070A60C8	1_2_070A60C8
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_070A498D	1_2_070A498D
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 6_2_00BC5EA0	6_2_00BC5EA0
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 6_2_00BCC1B8	6_2_00BCC1B8
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 6_2_00BC7130	6_2_00BC7130
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 6_2_014246A0	6_2_014246A0
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 6_2_014245B0	6_2_014245B0
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 6_2_0142DA00	6_2_0142DA00
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 6_2_06016C70	6_2_06016C70
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 6_2_060194F8	6_2_060194F8
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 6_2_06017540	6_2_06017540
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 6_2_06016928	6_2_06016928

Source: 9644a199_by_Libranalysis.exe	Binary or memory string: OriginalFilename vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.260145490.0000000006FD0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.245884260.00000000000A2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameWeakReference.exeJ vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249393872.00000000023D1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameVBfgoJBIDAvgwQVPyHeYxZlKqgNIVZusxmAYQv.exe4 vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.262232027.000000000CFA0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.262232027.000000000CFA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.259159909.0000000006550000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.261360003.000000000CEA0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe	Binary or memory string: OriginalFilename vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000005.00000002.243799710.0000000000152000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameWeakReference.exeJ vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe	Binary or memory string: OriginalFilename vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.497643580.0000000006660000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.484600154.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameVBfgoJBIDAvgwQVPyHeYxZlKqgNIVZusxmAYQv.exe4 vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.485268572.0000000000A42000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameWeakReference.exeJ vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.486087626.0000000000EF8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe	Binary or memory string: OriginalFilenameWeakReference.exeJ vs 9644a199_by_Libranalysis.exe

Source: 9644a199_by_Libranalysis.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 9644a199_by_Libranalysis.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: lklQGPQqWZ.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/4@1/1

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

File created: C:\Users\user\AppData\Roaming\lklQGPQqWZ.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_01

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

File created: C:\Users\user\AppData\Local\Temp\tmp78E2.tmp

Jump to behavior

Source: 9644a199_by_Libranalysis.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: 9644a199_by_Libranalysis.exe

ReversingLabs: Detection: 25%

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

File read: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe 'C:\Users\user\Desktop\9644a199_by_Libranalysis.exe'
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lklQGPQqWZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp78E2.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe C:\Users\user\Desktop\9644a199_by_Libranalysis.exe
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe C:\Users\user\Desktop\9644a199_by_Libranalysis.exe
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lklQGPQqWZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp78E2.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Jump to behavior

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 9644a199_by_Libranalysis.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 9644a199_by_Libranalysis.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_000A52AF push es; iretd	1_2_000A52C8
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_000A527F push es; iretd	1_2_000A52C8
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 1_2_000AB93F push edi; ret	1_2_000AB940
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 5_2_0015527F push es; iretd	5_2_001552C8
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 5_2_0015B93F push edi; ret	5_2_0015B940
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 5_2_001552AF push es; iretd	5_2_001552C8
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 6_2_00A452AF push es; iretd	6_2_00A452C8
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 6_2_00A4527F push es; iretd	6_2_00A452C8
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 6_2_00A4B93F push edi; ret	6_2_00A4B940
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Code function: 6_2_0601EE8A push esp; ret	6_2_0601EED1

Source: initial sample	Static PE information: section name: .text entropy: 7.81806704366
Source: initial sample	Static PE information: section name: .text entropy: 7.81806704366

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

File created: C:\Users\user\AppData\Roaming\lklQGPQqWZ.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lklQGPQqWZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp78E2.tmp'

Hooking and other Techniques for Hiding and Protection:

Moves itself to temp directory

Show sources

Source: c:\users\user\desktop\9644a199_by_libranalysis.exe

File moved: C:\Users\user\AppData\Local\Temp\tmpG256.tmp

Jump to behavior

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9644a199_by_Libranalysis.exe PID: 5876, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Window / User API: threadDelayed 6575			Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Window / User API: threadDelayed 3227			Jump to behavior

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe TID: 5900	Thread sleep time: -102920s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe TID: 6124	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe TID: 6696	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe TID: 6716	Thread sleep count: 6575 > 30	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe TID: 6716	Thread sleep count: 3227 > 30	Jump to behavior

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Thread delayed: delay time: 102920	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.489219382.0000000001294000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

Code function: 6_2_0601CF68 GetMonitorInfoW,LdrInitializeThunk,KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher,

6_2_0601CF68

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

Memory written: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lklQGPQqWZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp78E2.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Jump to behavior

Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.489852785.0000000001820000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.489852785.0000000001820000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.489852785.0000000001820000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.489852785.0000000001820000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

Code function: 6_2_06015A94 GetUserNameW,

6_2_06015A94

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.484600154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.254296394.00000000033D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9644a199_by_Libranalysis.exe PID: 6192, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9644a199_by_Libranalysis.exe PID: 5876, type: MEMORY
Source: Yara match	File source: 6.2.9644a199_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9644a199_by_Libranalysis.exe.3478240.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9644a199_by_Libranalysis.exe.3478240.4.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9644a199_by_Libranalysis.exe PID: 6192, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.484600154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.254296394.00000000033D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9644a199_by_Libranalysis.exe PID: 6192, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9644a199_by_Libranalysis.exe PID: 5876, type: MEMORY
Source: Yara match	File source: 6.2.9644a199_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9644a199_by_Libranalysis.exe.3478240.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9644a199_by_Libranalysis.exe.3478240.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Scheduled Task/Job1	Process Injection112	Disable or Modify Tools1	OS Credential Dumping2	Account Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Obfuscated Files or Information3	Credentials in Registry1	File and Directory Discovery1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing3	Security Account Manager	System Information Discovery114	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Masquerading11	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion141	LSA Secrets	Security Software Discovery321	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection112	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Virtualization/Sandbox Evasion141	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
9644a199_by_Libranalysis.exe	26%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
9644a199_by_Libranalysis.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\lklQGPQqWZ.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\lklQGPQqWZ.exe	26%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.2.9644a199_by_Libranalysis.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cnV	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.comceta	0%	Avira URL Cloud	safe
https://pszp7LGnmpscRH9.o	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
https://pszp7LGnmpscRH9.org	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn$8	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://SSIeJj.com	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://www.monotype.w5	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnd	0%	URL Reputation	safe
http://www.founder.com.cn/cnd	0%	URL Reputation	safe
http://www.founder.com.cn/cnd	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.fonts.comQ	0%	Avira URL Cloud	safe
http://en.w	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
https://api.ipify.org%$	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn.8	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.199.225	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	9644a199_by_Libranalysis.exe, 00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://us2.smtp.mailhostbox.com	9644a199_by_Libranalysis.exe, 00000006.00000002.492162365.00000000030AC000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cnV	9644a199_by_Libranalysis.exe, 00000001.00000003.221800913.0000000005426000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false		high
http://www.tiro.com	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comceta	9644a199_by_Libranalysis.exe, 00000001.00000002.256390682.0000000005420000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://pszp7LGnmpscRH9.o	9644a199_by_Libranalysis.exe, 00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp	false		high
http://www.sajatypeworks.com	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp, 9644a199_by_Libranalysis.exe, 00000001.00000003.218984783.0000000005423000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pszp7LGnmpscRH9.org	9644a199_by_Libranalysis.exe, 00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/cThe	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp, 9644a199_by_Libranalysis.exe, 00000001.00000003.230877212.0000000005439000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn$8	9644a199_by_Libranalysis.exe, 00000001.00000003.221414928.0000000005427000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org%GETMozilla/5.0	9644a199_by_Libranalysis.exe, 00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/gh28942	9644a199_by_Libranalysis.exe	false		high
http://SSIeJj.com	9644a199_by_Libranalysis.exe, 00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	9644a199_by_Libranalysis.exe, 00000001.00000002.249393872.00000000023D1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	9644a199_by_Libranalysis.exe, 00000001.00000002.254296394.00000000033D9000.00000004.00000001.sdmp, 9644a199_by_Libranalysis.exe, 00000006.00000002.484600154.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.monotype.w5	9644a199_by_Libranalysis.exe, 00000001.00000003.229851180.0000000005428000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnd	9644a199_by_Libranalysis.exe, 00000001.00000003.221186396.000000000542E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false		high
http://DynDns.comDynDNS	9644a199_by_Libranalysis.exe, 00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	9644a199_by_Libranalysis.exe, 00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.comQ	9644a199_by_Libranalysis.exe, 00000001.00000003.219513718.000000000543B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://en.w	9644a199_by_Libranalysis.exe, 00000001.00000003.219365504.0000000005425000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org%$	9644a199_by_Libranalysis.exe, 00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.coml	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	9644a199_by_Libranalysis.exe, 00000001.00000003.221800913.0000000005426000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn.8	9644a199_by_Libranalysis.exe, 00000001.00000003.221414928.0000000005427000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	9644a199_by_Libranalysis.exe, 00000001.00000003.221800913.0000000005426000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	9644a199_by_Libranalysis.exe, 00000001.00000003.226832646.0000000005455000.00000004.00000001.sdmp, 9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.html	9644a199_by_Libranalysis.exe, 00000001.00000003.227116873.0000000005455000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	9644a199_by_Libranalysis.exe, 00000001.00000002.256788856.0000000005510000.00000002.00000001.sdmp	false		high
http://web.archive.org/web/20150218144800/http://faculty.darden.virginia.edu/conroyb/derivatives/Bin	9644a199_by_Libranalysis.exe	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.91.199.225	us2.smtp.mailhostbox.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	399523
Start date:	28.04.2021
Start time:	21:30:36
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	9644a199_by_Libranalysis (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/4@1/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 94% Number of executed functions: 67 Number of non-executed functions: 18
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 20.50.102.62, 204.79.197.200, 13.107.21.200, 2.20.157.220, 52.255.188.83, 13.64.90.137, 23.57.80.111, 13.88.21.125, 20.82.210.154, 2.20.142.210, 2.20.142.209, 92.122.213.194, 92.122.213.247, 20.82.209.183, 20.54.26.129 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/399523/sample/9644a199_by_Libranalysis.exe

Simulations

Behavior and APIs

Time	Type	Description
21:31:40	API Interceptor	663x Sleep call for process: 9644a199_by_Libranalysis.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
208.91.199.225	NEW ENQUIRY 200283.exe	Get hash	malicious	Browse
	Doc_26042021SC.exe	Get hash	malicious	Browse
	RApK2RmjFR.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Scr.Malcodegdn30.25084.exe	Get hash	malicious	Browse
	RFQ-04-23-2021.exe	Get hash	malicious	Browse
	Orden de compra 1910003976.doc	Get hash	malicious	Browse
	v6szzBPTTC.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Troj.Kryptik-VJ.15120.exe	Get hash	malicious	Browse
	Po__20210421.exe	Get hash	malicious	Browse
	PBzHyvJUl.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	35,276.70 SWIFT.xlsx	Get hash	malicious	Browse
	4600004505.exe	Get hash	malicious	Browse
	Payment slip.exe	Get hash	malicious	Browse
	PI#001890576.exe	Get hash	malicious	Browse
	NEW SUPPLIER FORM.exe	Get hash	malicious	Browse
	specification.xlsx	Get hash	malicious	Browse
	DHL_Invoice.gz.exe	Get hash	malicious	Browse
	PO#33S2-202105BsNR.exe	Get hash	malicious	Browse
	EZ0496 PAYMENT.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
us2.smtp.mailhostbox.com	NEW ORDER.exe	Get hash	malicious	Browse	208.91.199.224
	0bMDP1V3eX.exe	Get hash	malicious	Browse	208.91.199.223
	Ha11NppGrb.exe	Get hash	malicious	Browse	208.91.198.143
	SecuriteInfo.com.Trojan.PackedNET.686.5407.exe	Get hash	malicious	Browse	208.91.199.224
	NEW ENQUIRY 200283.exe	Get hash	malicious	Browse	208.91.199.225
	TT Copy pdf.exe	Get hash	malicious	Browse	208.91.199.223
	Signed Contract.doc	Get hash	malicious	Browse	208.91.198.143
	moni man.exe	Get hash	malicious	Browse	208.91.198.143
	Order Items.exe	Get hash	malicious	Browse	208.91.198.143
	1Nggo6oJzH.exe	Get hash	malicious	Browse	208.91.199.223
	SecuriteInfo.com.Trojan.Win32.Save.a.25790.exe	Get hash	malicious	Browse	208.91.199.224
	Order specs No12..exe	Get hash	malicious	Browse	208.91.198.143
	948995fb_by_Libranalysis.exe	Get hash	malicious	Browse	208.91.198.143
	PURCHASE ORDER #_Refno.191938.exe	Get hash	malicious	Browse	208.91.199.223
	hh$$$.exe	Get hash	malicious	Browse	208.91.199.224
	SecuriteInfo.com.Malware.AI.1537019893.642.exe	Get hash	malicious	Browse	208.91.199.223
	Doc_26042021SC.exe	Get hash	malicious	Browse	208.91.199.225
	RApK2RmjFR.exe	Get hash	malicious	Browse	208.91.199.224
	Hoja_datos_RFQ_pdf.exe	Get hash	malicious	Browse	208.91.198.143
	REQUEST FOR QUOTATION.pdf.exe	Get hash	malicious	Browse	208.91.199.223

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	NEW ORDER.exe	Get hash	malicious	Browse	208.91.199.224
	0bMDP1V3eX.exe	Get hash	malicious	Browse	208.91.199.223
	SecuriteInfo.com.Trojan.PackedNET.686.5407.exe	Get hash	malicious	Browse	208.91.199.224
	NEW ENQUIRY 200283.exe	Get hash	malicious	Browse	208.91.199.223
	TT Copy pdf.exe	Get hash	malicious	Browse	208.91.199.223
	Signed Contract.doc	Get hash	malicious	Browse	208.91.199.223
	moni man.exe	Get hash	malicious	Browse	208.91.198.143
	Order Items.exe	Get hash	malicious	Browse	208.91.199.224
	1Nggo6oJzH.exe	Get hash	malicious	Browse	208.91.199.223
	SecuriteInfo.com.Trojan.Win32.Save.a.25790.exe	Get hash	malicious	Browse	208.91.199.224
	Order specs No12..exe	Get hash	malicious	Browse	208.91.199.223
	diagram-32303288.xlsm	Get hash	malicious	Browse	5.100.155.169
	go9RLqIQ05.exe	Get hash	malicious	Browse	162.215.241.145
	diagram-32303288.xlsm	Get hash	malicious	Browse	5.100.155.169
	diagram-1381837747.xlsm	Get hash	malicious	Browse	5.100.155.169
	diagram-1381837747.xlsm	Get hash	malicious	Browse	5.100.155.169
	948995fb_by_Libranalysis.exe	Get hash	malicious	Browse	208.91.198.143
	QUOTE.doc	Get hash	malicious	Browse	162.215.241.145
	catalog-1682418755.xlsm	Get hash	malicious	Browse	208.91.199.122
	catalog-1682418755.xlsm	Get hash	malicious	Browse	208.91.199.122

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9644a199_by_Libranalysis.exe.log Download File
Process:	C:\Users\user\Desktop\9644a199_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp78E2.tmp Download File
Process:	C:\Users\user\Desktop\9644a199_by_Libranalysis.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1643
Entropy (8bit):	5.200360039981224
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBptn:cbh47TlNQ//rydbz9I3YODOLNdq3N
MD5:	C21555FA32A10E0F16FCE9A88101F340
SHA1:	4B111D5CFEE30596531CB0C01B35F961E041192D
SHA-256:	501F4F90697CC2403DE318CC319B863BC30D57DDB3EC393B431515F21ABA8DFD
SHA-512:	4EB559F450BAE9A977637B8E3663414362E4A7857DB5F8FA9DB2DC8888EA9690B049754901E1B9C6966D1347D4F52B614EAA37A2451EE5D7631D33A8CFD4335C
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\lklQGPQqWZ.exe Download File
Process:	C:\Users\user\Desktop\9644a199_by_Libranalysis.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	568320
Entropy (8bit):	7.804860082772334
Encrypted:	false
SSDEEP:	12288:MGJdCTsSv66GiBR2BGKFivWvNvFvklc1Kl/h3xBNbGNdYn/mw:XCQSXV2BoaNvFvklL/7B98dTw
MD5:	9644A199C0D74C2F223B042B93899333
SHA1:	00A0778246CD4E4DF046EA7C3CCDB5D04F056A19
SHA-256:	0B10841226C0D6FB59F308C09309E79D214CA6799AC162C1ADDD5455D7EF3FD7
SHA-512:	8AC5DFEC96292878ABAF993A939ED14D7CE3F0B9A247DCAD270FBE9649BB083EF46A6DB644286FB8016A0BDE077D6F2247D874BB3A17280144C060F952CCE020
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...19.`................................. ........@.. ....................................@.................................P...K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......................\...p'...........................................0............(....(..........(.....o..........................(.......(.......(.......(.......(......N..(....o....(.....N..(....o....(.....&..(........s.........s.........s.........s.........s..........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+..*.0.................,.........o....+....9....~.........,2~...

C:\Users\user\AppData\Roaming\lklQGPQqWZ.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\9644a199_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.804860082772334
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	9644a199_by_Libranalysis.exe
File size:	568320
MD5:	9644a199c0d74c2f223b042b93899333
SHA1:	00a0778246cd4e4df046ea7c3ccdb5d04f056a19
SHA256:	0b10841226c0d6fb59f308c09309e79d214ca6799ac162c1addd5455d7ef3fd7
SHA512:	8ac5dfec96292878abaf993a939ed14d7ce3f0b9a247dcad270fbe9649bb083ef46a6db644286fb8016a0bde077d6f2247d874bb3a17280144c060f952cce020
SSDEEP:	12288:MGJdCTsSv66GiBR2BGKFivWvNvFvklc1Kl/h3xBNbGNdYn/mw:XCQSXV2BoaNvFvklL/7B98dTw
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...19.`................................. ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x48b49e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60893931 [Wed Apr 28 10:30:09 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8b450	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8c000	0x1200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x894a4	0x89600	False	0.883820163217	data	7.81806704366	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x8c000	0x1200	0x1200	False	0.379557291667	data	4.91511269916	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8e000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x8c090	0x340	data
RT_MANIFEST	0x8c3e0	0xd25	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	GerH
Assembly Version	1.0.0.0
InternalName	WeakReference.exe
FileVersion	1.0.0.0
CompanyName	GerH
LegalTrademarks
Comments
ProductName	Optionen auf Futures
ProductVersion	1.0.0.0
FileDescription	OptionenFutures
OriginalFilename	WeakReference.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/28/21-21:33:30.289537	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49738	587	192.168.2.3	208.91.199.225

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 28, 2021 21:33:27.700309038 CEST	49738	587	192.168.2.3	208.91.199.225
Apr 28, 2021 21:33:27.865279913 CEST	587	49738	208.91.199.225	192.168.2.3
Apr 28, 2021 21:33:27.865447998 CEST	49738	587	192.168.2.3	208.91.199.225
Apr 28, 2021 21:33:28.192739964 CEST	587	49738	208.91.199.225	192.168.2.3
Apr 28, 2021 21:33:28.193044901 CEST	49738	587	192.168.2.3	208.91.199.225
Apr 28, 2021 21:33:28.358081102 CEST	587	49738	208.91.199.225	192.168.2.3
Apr 28, 2021 21:33:28.358109951 CEST	587	49738	208.91.199.225	192.168.2.3
Apr 28, 2021 21:33:28.405159950 CEST	49738	587	192.168.2.3	208.91.199.225
Apr 28, 2021 21:33:29.060508013 CEST	49738	587	192.168.2.3	208.91.199.225
Apr 28, 2021 21:33:29.226421118 CEST	587	49738	208.91.199.225	192.168.2.3
Apr 28, 2021 21:33:29.374000072 CEST	49738	587	192.168.2.3	208.91.199.225
Apr 28, 2021 21:33:29.591983080 CEST	49738	587	192.168.2.3	208.91.199.225
Apr 28, 2021 21:33:29.759124994 CEST	587	49738	208.91.199.225	192.168.2.3
Apr 28, 2021 21:33:29.760137081 CEST	49738	587	192.168.2.3	208.91.199.225
Apr 28, 2021 21:33:29.926160097 CEST	587	49738	208.91.199.225	192.168.2.3
Apr 28, 2021 21:33:29.926482916 CEST	49738	587	192.168.2.3	208.91.199.225
Apr 28, 2021 21:33:30.119821072 CEST	587	49738	208.91.199.225	192.168.2.3
Apr 28, 2021 21:33:30.120089054 CEST	49738	587	192.168.2.3	208.91.199.225
Apr 28, 2021 21:33:30.285300970 CEST	587	49738	208.91.199.225	192.168.2.3
Apr 28, 2021 21:33:30.289536953 CEST	49738	587	192.168.2.3	208.91.199.225
Apr 28, 2021 21:33:30.289711952 CEST	49738	587	192.168.2.3	208.91.199.225
Apr 28, 2021 21:33:30.289810896 CEST	49738	587	192.168.2.3	208.91.199.225
Apr 28, 2021 21:33:30.289912939 CEST	49738	587	192.168.2.3	208.91.199.225
Apr 28, 2021 21:33:30.454457998 CEST	587	49738	208.91.199.225	192.168.2.3
Apr 28, 2021 21:33:30.454518080 CEST	587	49738	208.91.199.225	192.168.2.3
Apr 28, 2021 21:33:30.553982019 CEST	587	49738	208.91.199.225	192.168.2.3
Apr 28, 2021 21:33:30.764714003 CEST	49738	587	192.168.2.3	208.91.199.225

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 28, 2021 21:31:27.818156958 CEST	60985	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:31:27.869781017 CEST	53	60985	8.8.8.8	192.168.2.3
Apr 28, 2021 21:31:34.713910103 CEST	50200	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:31:34.789165974 CEST	53	50200	8.8.8.8	192.168.2.3
Apr 28, 2021 21:31:39.853684902 CEST	51281	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:31:39.912303925 CEST	53	51281	8.8.8.8	192.168.2.3
Apr 28, 2021 21:31:43.571888924 CEST	49199	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:31:43.623595953 CEST	53	49199	8.8.8.8	192.168.2.3
Apr 28, 2021 21:31:45.084887028 CEST	50620	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:31:45.133896112 CEST	53	50620	8.8.8.8	192.168.2.3
Apr 28, 2021 21:31:46.693641901 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:31:46.745462894 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 28, 2021 21:31:48.887578964 CEST	60152	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:31:48.937891960 CEST	53	60152	8.8.8.8	192.168.2.3
Apr 28, 2021 21:31:49.696293116 CEST	57544	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:31:49.745173931 CEST	53	57544	8.8.8.8	192.168.2.3
Apr 28, 2021 21:31:51.562464952 CEST	55984	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:31:51.611375093 CEST	53	55984	8.8.8.8	192.168.2.3
Apr 28, 2021 21:31:52.431653976 CEST	64185	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:31:52.483267069 CEST	53	64185	8.8.8.8	192.168.2.3
Apr 28, 2021 21:31:53.899291039 CEST	65110	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:31:53.959687948 CEST	53	65110	8.8.8.8	192.168.2.3
Apr 28, 2021 21:31:53.972791910 CEST	58361	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:31:54.021486044 CEST	53	58361	8.8.8.8	192.168.2.3
Apr 28, 2021 21:31:55.240319967 CEST	63492	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:31:55.293602943 CEST	53	63492	8.8.8.8	192.168.2.3
Apr 28, 2021 21:31:56.552475929 CEST	60831	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:31:56.601174116 CEST	53	60831	8.8.8.8	192.168.2.3
Apr 28, 2021 21:31:57.568981886 CEST	60100	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:31:57.622669935 CEST	53	60100	8.8.8.8	192.168.2.3
Apr 28, 2021 21:31:58.433052063 CEST	53195	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:31:58.482048988 CEST	53	53195	8.8.8.8	192.168.2.3
Apr 28, 2021 21:31:59.816314936 CEST	50141	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:31:59.877562046 CEST	53	50141	8.8.8.8	192.168.2.3
Apr 28, 2021 21:32:00.958085060 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:32:01.006989956 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 28, 2021 21:32:02.351763964 CEST	49563	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:32:02.403670073 CEST	53	49563	8.8.8.8	192.168.2.3
Apr 28, 2021 21:32:04.180437088 CEST	51352	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:32:04.232793093 CEST	53	51352	8.8.8.8	192.168.2.3
Apr 28, 2021 21:32:07.208262920 CEST	59349	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:32:07.259110928 CEST	53	59349	8.8.8.8	192.168.2.3
Apr 28, 2021 21:32:08.365362883 CEST	57084	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:32:08.423569918 CEST	53	57084	8.8.8.8	192.168.2.3
Apr 28, 2021 21:32:09.201015949 CEST	58823	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:32:09.254167080 CEST	53	58823	8.8.8.8	192.168.2.3
Apr 28, 2021 21:32:12.025702000 CEST	57568	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:32:12.083344936 CEST	53	57568	8.8.8.8	192.168.2.3
Apr 28, 2021 21:32:17.031379938 CEST	50540	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:32:17.091094971 CEST	53	50540	8.8.8.8	192.168.2.3
Apr 28, 2021 21:32:28.157236099 CEST	54366	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:32:28.223104000 CEST	53	54366	8.8.8.8	192.168.2.3
Apr 28, 2021 21:32:59.565673113 CEST	53034	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:32:59.617278099 CEST	53	53034	8.8.8.8	192.168.2.3
Apr 28, 2021 21:33:04.828500986 CEST	57762	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:33:04.890506983 CEST	53	57762	8.8.8.8	192.168.2.3
Apr 28, 2021 21:33:27.253715038 CEST	55435	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:33:27.316633940 CEST	53	55435	8.8.8.8	192.168.2.3
Apr 28, 2021 21:33:29.997730017 CEST	50713	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:33:30.062887907 CEST	53	50713	8.8.8.8	192.168.2.3
Apr 28, 2021 21:33:35.934504032 CEST	56132	53	192.168.2.3	8.8.8.8
Apr 28, 2021 21:33:35.986171007 CEST	53	56132	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 28, 2021 21:33:27.253715038 CEST	192.168.2.3	8.8.8.8	0xec7	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Apr 28, 2021 21:33:27.316633940 CEST	8.8.8.8	192.168.2.3	0xec7	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)
Apr 28, 2021 21:33:27.316633940 CEST	8.8.8.8	192.168.2.3	0xec7	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)
Apr 28, 2021 21:33:27.316633940 CEST	8.8.8.8	192.168.2.3	0xec7	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)
Apr 28, 2021 21:33:27.316633940 CEST	8.8.8.8	192.168.2.3	0xec7	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 28, 2021 21:33:28.192739964 CEST	587	49738	208.91.199.225	192.168.2.3	220 us2.outbound.mailhostbox.com ESMTP Postfix
Apr 28, 2021 21:33:28.193044901 CEST	49738	587	192.168.2.3	208.91.199.225	EHLO 899552
Apr 28, 2021 21:33:28.358109951 CEST	587	49738	208.91.199.225	192.168.2.3	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Apr 28, 2021 21:33:29.060508013 CEST	49738	587	192.168.2.3	208.91.199.225	AUTH login cGV0ZXIudGVya3BlckBnaC13aWxtYXItaW50bC5jb20=
Apr 28, 2021 21:33:29.226421118 CEST	587	49738	208.91.199.225	192.168.2.3	334 UGFzc3dvcmQ6
Apr 28, 2021 21:33:29.759124994 CEST	587	49738	208.91.199.225	192.168.2.3	235 2.7.0 Authentication successful
Apr 28, 2021 21:33:29.760137081 CEST	49738	587	192.168.2.3	208.91.199.225	MAIL FROM:<peter.terkper@gh-wilmar-intl.com>
Apr 28, 2021 21:33:29.926160097 CEST	587	49738	208.91.199.225	192.168.2.3	250 2.1.0 Ok
Apr 28, 2021 21:33:29.926482916 CEST	49738	587	192.168.2.3	208.91.199.225	RCPT TO:<peter.terkper@gh-wilmar-intl.com>
Apr 28, 2021 21:33:30.119821072 CEST	587	49738	208.91.199.225	192.168.2.3	250 2.1.5 Ok
Apr 28, 2021 21:33:30.120089054 CEST	49738	587	192.168.2.3	208.91.199.225	DATA
Apr 28, 2021 21:33:30.285300970 CEST	587	49738	208.91.199.225	192.168.2.3	354 End data with <CR><LF>.<CR><LF>
Apr 28, 2021 21:33:30.289912939 CEST	49738	587	192.168.2.3	208.91.199.225	.
Apr 28, 2021 21:33:30.553982019 CEST	587	49738	208.91.199.225	192.168.2.3	250 2.0.0 Ok: queued as 0D78D7818CC

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 9644a199_by_Libranalysis.exe PID: 5876 Parent PID: 5744

General

Start time:	21:31:30
Start date:	28/04/2021
Path:	C:\Users\user\Desktop\9644a199_by_Libranalysis.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\9644a199_by_Libranalysis.exe'
Imagebase:	0xa0000
File size:	568320 bytes
MD5 hash:	9644A199C0D74C2F223B042B93899333
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.254296394.00000000033D9000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5364 Parent PID: 5876

General

Start time:	21:31:42
Start date:	28/04/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lklQGPQqWZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp78E2.tmp'
Imagebase:	0x190000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5352 Parent PID: 5364

General

Start time:	21:31:42
Start date:	28/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: 9644a199_by_Libranalysis.exe PID: 6184 Parent PID: 5876

General

Start time:	21:31:43
Start date:	28/04/2021
Path:	C:\Users\user\Desktop\9644a199_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\9644a199_by_Libranalysis.exe
Imagebase:	0x150000
File size:	568320 bytes
MD5 hash:	9644A199C0D74C2F223B042B93899333
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: 9644a199_by_Libranalysis.exe PID: 6192 Parent PID: 5876

General

Start time:	21:31:43
Start date:	28/04/2021
Path:	C:\Users\user\Desktop\9644a199_by_Libranalysis.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\9644a199_by_Libranalysis.exe
Imagebase:	0xa40000
File size:	568320 bytes
MD5 hash:	9644A199C0D74C2F223B042B93899333
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.484600154.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 9644a199_by_Libranalysis.exe PID: 5876 Parent PID: 5744 9644a199_by_Libranalysis.exeCOMMON

Executed Functions

Function 070ADA78, Relevance: 2.8, Strings: 2, Instructions: 307COMMON

Download Yara Rule

Strings

lng, xrefs: 070ADD54
lng, xrefs: 070ADD2F

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID: lng$lng
API String ID: 0-2393080935
Opcode ID: 6c907a0fc522dcdd4bf10ae023eac30c0a7532bde330f078845db636cedcb950
Instruction ID: 2a6ff9d75aa3981d7217a164abd262ff9627e82bed0d4d6efa837467bb90f5d9
Opcode Fuzzy Hash: 6c907a0fc522dcdd4bf10ae023eac30c0a7532bde330f078845db636cedcb950
Instruction Fuzzy Hash: 01C19FB0B01215AFDB54DFA4C554BAEBBF2EF89304F2081A9E505AB7A5CB31DD01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 070A9920, Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

6+B, xrefs: 070A99A3

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID: 6+B
API String ID: 0-1549222668
Opcode ID: fcf01dac1903de50aaf810851788625b8d9e120047e1d8e71159ce6bc6423e19
Instruction ID: e7df4bbe926a60f668ba777b0a4b9952d3470c0e68b371b96727e7bdd1ff7db7
Opcode Fuzzy Hash: fcf01dac1903de50aaf810851788625b8d9e120047e1d8e71159ce6bc6423e19
Instruction Fuzzy Hash: 08415A74E25218ABDB08CFE9D9405DEFBB7FB8E300F14A52AD406B7254D734A901CB28

Uniqueness

Uniqueness Score: -1.00%

Function 070AA018, Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b152bc1d810f8b3a0d880fcab8b7dfa49c34c40793d60b72d7e5d2107e162c
Instruction ID: 13025033d4ad8be2b0e532051557392c48a093b655fec334331aea7015e53d72
Opcode Fuzzy Hash: e4b152bc1d810f8b3a0d880fcab8b7dfa49c34c40793d60b72d7e5d2107e162c
Instruction Fuzzy Hash: FBD129B4E15218AFDB44CFA5D941BDEFBB2FB89300F209129E505FB294D775A901CB24

Uniqueness

Uniqueness Score: -1.00%

Function 070ACC78, Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c695772d357a9d67225d04357eff15cc7f7da43f3f3f041d5844b63cf207b4
Instruction ID: a79a79fc5b9ddf64f5354be11024acba6cc9a69cab84f6bf67e5fd87d58cb491
Opcode Fuzzy Hash: 97c695772d357a9d67225d04357eff15cc7f7da43f3f3f041d5844b63cf207b4
Instruction Fuzzy Hash: 79B193B1A01215EFEB15DFA9C484A9EBBF5EF44310F178169E815AB3A1DB30ED41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 070AA680, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d06db0ba9b78e83de097ec35955a785140354626e6e3a9dcaec91592cfe7ccd
Instruction ID: a800f677abffbe74e4543e3f0d0e15e63f06fa62debac0a1e247f4cbb5eade30
Opcode Fuzzy Hash: 6d06db0ba9b78e83de097ec35955a785140354626e6e3a9dcaec91592cfe7ccd
Instruction Fuzzy Hash: 0E81E5B4E00248DFDB58DFE5D8445AEBBB2FF89300F20952AE916AB394DB746905CF50

Uniqueness

Uniqueness Score: -1.00%

Function 070ADD90, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14312fda6c70d9d9761172975c38125a1b8e7b39198ab329081fec9423a21906
Instruction ID: b8cfa43b206ec0a1599832185d8ae8793b663a36166bf8326e444bef7cc9da2a
Opcode Fuzzy Hash: 14312fda6c70d9d9761172975c38125a1b8e7b39198ab329081fec9423a21906
Instruction Fuzzy Hash: A61139B0E042599BDB14DFA4C418BFDBBF1AB4A315F145269D411B7294CB788984CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00B0BBC8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 195COMMON

Download Yara Rule

Strings

lng, xrefs: 00B0BD46
lng, xrefs: 00B0BD6B

Memory Dump Source

Source File: 00000001.00000002.249187952.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID: HandleModule
String ID: lng$lng
API String ID: 4139908857-2393080935
Opcode ID: 7c6195cf286b1906779708b604ff3462270b6414eebaec4dabbbceedddd06df4
Instruction ID: 06e663c50d6ecdb4879a609f018f82ad1001ff867400f1bfb1ee6f3f6e2723e4
Opcode Fuzzy Hash: 7c6195cf286b1906779708b604ff3462270b6414eebaec4dabbbceedddd06df4
Instruction Fuzzy Hash: AB711370A00B058FDB24DF2AD151B5ABBF1FF88304F008A6DE54ADBB80DB75E8458B91

Uniqueness

Uniqueness Score: -1.00%

Function 070A85B8, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070A87EE

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d1f6cab26a77e6f2a3eb32e7824983ee79d231bf1114562f8871acb1854ee0b6
Instruction ID: 8ce0210a6fb0299b453af6dd1f926028d140cba0d652d754254889792b9e4505
Opcode Fuzzy Hash: d1f6cab26a77e6f2a3eb32e7824983ee79d231bf1114562f8871acb1854ee0b6
Instruction Fuzzy Hash: 3E917CB1D00219DFEF51DFA4C8407DEBBB2BF48314F1486A9E808A7280DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B0B214, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B0DD8A

Memory Dump Source

Source File: 00000001.00000002.249187952.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: db8102c6d5df2ba2f18f0cd1bdc9981d3e17d3989c9fed4edcee1619978c0669
Instruction ID: dde71cfb0cf27d92e6956dbc3016d5a214cf0f0372cf8c4a315525ed9314a240
Opcode Fuzzy Hash: db8102c6d5df2ba2f18f0cd1bdc9981d3e17d3989c9fed4edcee1619978c0669
Instruction Fuzzy Hash: 9351BFB1D002099FDB14DF99C884ADEBFF5FF48314F64826AE819AB250D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B0DC6D, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B0DD8A

Memory Dump Source

Source File: 00000001.00000002.249187952.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e1974f2c15afa090f074917015755f9891b16aa7eea351072ecf825a29dde011
Instruction ID: 484dbe9976b863c07d10cb340b8d78c155fdce2d54edac03f11ea01f12199591
Opcode Fuzzy Hash: e1974f2c15afa090f074917015755f9891b16aa7eea351072ecf825a29dde011
Instruction Fuzzy Hash: F651B0B1D003499FDB14CFA9C884ADEBFB1FF48314F24826AE819AB250D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B06D41, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B06D7E,?,?,?,?,?), ref: 00B06E3F

Memory Dump Source

Source File: 00000001.00000002.249187952.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e2267006d012794ba44a270d65a0c0006bffdbff8efcda3b79a4361b6271865e
Instruction ID: 0d3ccb6a4cd0305ebb996d7d54d949934bd9c50c6e9118153918b58fba2099c5
Opcode Fuzzy Hash: e2267006d012794ba44a270d65a0c0006bffdbff8efcda3b79a4361b6271865e
Instruction Fuzzy Hash: 83416876A002599FCF01CF99D884ADEBFF5EB89320F04806AF914A7361C735A955DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 070A8330, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070A83C0

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: bd7c20da6606a59667b845ad5c8132ca41312d3eeb501b87b2eb8bdb03fb776c
Instruction ID: c84e5c6eb3af67b422884a87f3588c00011392f78337cea81875c7a043494e9f
Opcode Fuzzy Hash: bd7c20da6606a59667b845ad5c8132ca41312d3eeb501b87b2eb8bdb03fb776c
Instruction Fuzzy Hash: 4221F6B19003599FCF10DFA9C884BDEBBF5FF48314F548829E919A7240D778A954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 070A7C8A, Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 070A7D42

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ab80e20cefe74ba43d1c9a8572f80473ebb0f45684683dd12b305e8156021dc9
Instruction ID: 2087ad77bd372c4b38f74a0be0c01a40bc77fe7e49825b7848f06ecda83200a3
Opcode Fuzzy Hash: ab80e20cefe74ba43d1c9a8572f80473ebb0f45684683dd12b305e8156021dc9
Instruction Fuzzy Hash: CE2136B0D042099FCB10DFA9D8447EEBBF1AF88218F24896ED519A7340DB745945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B06DB0, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B06D7E,?,?,?,?,?), ref: 00B06E3F

Memory Dump Source

Source File: 00000001.00000002.249187952.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 89f54102cac63400d52cbc14efe09841d18d58cc8e5916bf90315b415a9a0589
Instruction ID: b194a5b89a5a071c714e306d81c3153c7f41cf80eab4833f72491e0804e7211d
Opcode Fuzzy Hash: 89f54102cac63400d52cbc14efe09841d18d58cc8e5916bf90315b415a9a0589
Instruction Fuzzy Hash: 7821E3B59012089FDB10CFA9D884ADEFFF4EF48324F14805AE918A7350D378A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B041E4, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B06D7E,?,?,?,?,?), ref: 00B06E3F

Memory Dump Source

Source File: 00000001.00000002.249187952.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 206fd3f8332c0dfb2ed4ec3a021886ee7c7545e95393922e74f6ff5b50ac152f
Instruction ID: 2b1fe56439aba74d414a327a49389eb77577930ac97d76bb43ac1ed365defd8f
Opcode Fuzzy Hash: 206fd3f8332c0dfb2ed4ec3a021886ee7c7545e95393922e74f6ff5b50ac152f
Instruction Fuzzy Hash: 8021D2B59002489FDB10CFA9D884AEEBBF8EB48324F14805AE914B7350D374A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 070A8198, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 070A8216

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 7a52660be5aa2e8a3c77567e20b9d7f7365ef1e37d483be2ad8f9e08c5011243
Instruction ID: a0ce8fbb2a5be7986a49e2bd6735069ace0e06192252975ee35be437eeea944e
Opcode Fuzzy Hash: 7a52660be5aa2e8a3c77567e20b9d7f7365ef1e37d483be2ad8f9e08c5011243
Instruction Fuzzy Hash: 2F2118B19002099FCB10DFAAC4847EEBBF4EF48264F54842AD519A7340DB78A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 070A8420, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070A84A0

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 055d778f7fbe1f1ee1415c0d12ddc3903a0efb9754bea0981f212d024fe8d61e
Instruction ID: cef06f3626cda196a01f1f62c858325f83fbc14624ec3488db35bb2458f7a78f
Opcode Fuzzy Hash: 055d778f7fbe1f1ee1415c0d12ddc3903a0efb9754bea0981f212d024fe8d61e
Instruction Fuzzy Hash: FC2128B19002599FCF10DFAAC884BDEFBF5FF48324F548429E918A7240C7789954DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 070A3911, Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 070A398B

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: fac43f0c8ba45bfe5112f7e2ad4da16ad700264c11c668769edeeee4c965fb16
Instruction ID: 96a0bc44e97626a50bf9423a5d972b011174a2f00561d0b056d419eaac82a38f
Opcode Fuzzy Hash: fac43f0c8ba45bfe5112f7e2ad4da16ad700264c11c668769edeeee4c965fb16
Instruction Fuzzy Hash: A12106B19002099FCB10DF9AC884BDEFBF4FB48324F148429E458A7640D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B0B0D8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B0BE89,00000800,00000000,00000000), ref: 00B0C09A

Memory Dump Source

Source File: 00000001.00000002.249187952.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 97af11e2e66d87634161d8d892e861c9a393ee6a36ca224e291b415f070507ee
Instruction ID: 884c2900af75c45aa4a7a2f578f329821abd04399e90b2b0e40f729facf4b895
Opcode Fuzzy Hash: 97af11e2e66d87634161d8d892e861c9a393ee6a36ca224e291b415f070507ee
Instruction Fuzzy Hash: 811103B2900208CFDB20DFAAD444B9EFFF4EB48364F14856AE919B7240D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 070A3918, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 070A398B

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 765d1d76008310d4f176ae266af9222ea4919921e0bc1597e9ca52ce59b4093c
Instruction ID: 33aca74ee75c50fd3d779119a04e9d9279191c9e12603a1a404cb9bbb57c64f4
Opcode Fuzzy Hash: 765d1d76008310d4f176ae266af9222ea4919921e0bc1597e9ca52ce59b4093c
Instruction Fuzzy Hash: 1221E4B19002099FCB10DF9AC884BDEFBF4FF48324F148429E958A7240D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C028, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B0BE89,00000800,00000000,00000000), ref: 00B0C09A

Memory Dump Source

Source File: 00000001.00000002.249187952.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5a2e06f91cc91492b8727a02095fdd0fdeb5f173726e0c17d7a57b09fd0587b1
Instruction ID: 4d1677edd454baa7c9a348121e5a86624ab261ea38d7f06483cfae81c95c911e
Opcode Fuzzy Hash: 5a2e06f91cc91492b8727a02095fdd0fdeb5f173726e0c17d7a57b09fd0587b1
Instruction Fuzzy Hash: E11106B29002098FCB10DF9AD444BDEFFF4EB88324F15855AE415B7640C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 070A8270, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070A82DE

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fc5cae4f327ea3162f7a092b20fea37a27918bb1aa847ed77eee32f4ce67c920
Instruction ID: 042bf94e1257818975ea3224abe8daf49b225357ce8c8b011f568d3c877d7209
Opcode Fuzzy Hash: fc5cae4f327ea3162f7a092b20fea37a27918bb1aa847ed77eee32f4ce67c920
Instruction Fuzzy Hash: 0B1146719002499FCF10DFAAC844BEFBBF5EF88324F148819E519A7250CB75A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 070A7CDA, Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 070A7D42

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 513a5a2135cec5b99135b5166e4da56324415ba48ff1ddff079fc3889486059f
Instruction ID: 2b527b3afb5e46aacea033dbb1d18539aa8a0ce9c5619e2bed0c8d7d38826892
Opcode Fuzzy Hash: 513a5a2135cec5b99135b5166e4da56324415ba48ff1ddff079fc3889486059f
Instruction Fuzzy Hash: 68113AB19002499FDB20DFAAC8447EFFBF4AF88224F648819D519B7340CB75A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B0B084, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,00B0BBDB), ref: 00B0BE0E

Memory Dump Source

Source File: 00000001.00000002.249187952.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: be23d703966913cfc0e6a79d25f912a845e72b2aafef7a46c392846979634bee
Instruction ID: 782a58e08111fdcf65d00f2b00ce208f11654e53cd4c48fcb9b79d0e6da6ac04
Opcode Fuzzy Hash: be23d703966913cfc0e6a79d25f912a845e72b2aafef7a46c392846979634bee
Instruction Fuzzy Hash: 9211EFB19006498FDB20DF9AC444BDAFBF4EF88324F14856AD919B7640C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 070A7CE0, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 070A7D42

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a1d8a62f3b98f882c08552498c69b95b0bec4c2c1fbc51df134324c7a5fbca94
Instruction ID: 1232416f7ebaf161e469afe7e61aa81632434b0020c6bedb8471ac9cb7846ddc
Opcode Fuzzy Hash: a1d8a62f3b98f882c08552498c69b95b0bec4c2c1fbc51df134324c7a5fbca94
Instruction Fuzzy Hash: C9110AB19042498BCB10DFAAC4447EEFBF5AF88224F548819D519B7740CB75A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B0B24C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,00B0DEA8,?,?,?,?), ref: 00B0DF1D

Memory Dump Source

Source File: 00000001.00000002.249187952.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 4cb0c0f3d2be290ec438a2790b9e6a114ea972987724d85564e871196c2148e2
Instruction ID: 0f22e4128ee0f9353fe6d1daaec03313339b7e3377074576d3689c860a1379bd
Opcode Fuzzy Hash: 4cb0c0f3d2be290ec438a2790b9e6a114ea972987724d85564e871196c2148e2
Instruction Fuzzy Hash: 8D11F2B59002099FDB20DF99D488BDEBBF8EB48324F10845AE919B7780C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 070A7DF0, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 070AD0CD

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e825479f034cfd5a8fe90840d45d46ae6cb8f8c138395ff1ab0b82e9ea189b9b
Instruction ID: 8ce266d8ed81d3c4acd879c5da62e22a799689721278c86617948ce574880ea5
Opcode Fuzzy Hash: e825479f034cfd5a8fe90840d45d46ae6cb8f8c138395ff1ab0b82e9ea189b9b
Instruction Fuzzy Hash: 8711F2B59003099FDB20DF99D888BDEBBF8EB48324F148919E915B7600C375A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B0DEB9, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,00B0DEA8,?,?,?,?), ref: 00B0DF1D

Memory Dump Source

Source File: 00000001.00000002.249187952.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d98e7bd4f7ac760fb756bb7369226a7bc2a0c53cdf7e1b0abdb0732c1e70054e
Instruction ID: 08e076e9a0d3434a9837d7fed8f96a8159542fedc54525ecf380013701e49757
Opcode Fuzzy Hash: d98e7bd4f7ac760fb756bb7369226a7bc2a0c53cdf7e1b0abdb0732c1e70054e
Instruction Fuzzy Hash: C911C2B5900209CFDB20DF99D584BDEBBF8EB48324F14845AE919A7740C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 070A0688, Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

5ThZ, xrefs: 070A074C

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID: 5ThZ
API String ID: 0-2879260838
Opcode ID: 9b103f6e6ab40f2406ee995aeee4a655900abd8eca8b639264eb1e1d0f070dea
Instruction ID: 470b31659bffc98b522ccc928aeb6278989622c52be0fad7bca72ea9a1464da2
Opcode Fuzzy Hash: 9b103f6e6ab40f2406ee995aeee4a655900abd8eca8b639264eb1e1d0f070dea
Instruction Fuzzy Hash: 6921EAB1E056189BEB58CFABD8406DEFBF7AFC8200F14C17AD509A7254EB341A458F51

Uniqueness

Uniqueness Score: -1.00%

Function 070A0678, Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

5ThZ, xrefs: 070A074C

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID: 5ThZ
API String ID: 0-2879260838
Opcode ID: 543b3880ea063b0c6e2dedf60b2c1092cd774dcff82f2a208fc1e46f62787857
Instruction ID: bc42b293fc96d826a7ab1262b1be80607dcdf0435ec58b23341f6d7be57579ee
Opcode Fuzzy Hash: 543b3880ea063b0c6e2dedf60b2c1092cd774dcff82f2a208fc1e46f62787857
Instruction Fuzzy Hash: 7421DBB1E016189BEB58CFABD84079EFBF7AFC8200F14C17AD509A6254EB345A458F51

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C2B0, Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.249187952.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27df7c23de69f39d335b9ac2534c7fac3313ac93e6c0af3d81002b0145bffa1f
Instruction ID: 219fa756de99916a1cb69695bedeaed3fc1ef870fce3d3a8e2a3c912a11fc302
Opcode Fuzzy Hash: 27df7c23de69f39d335b9ac2534c7fac3313ac93e6c0af3d81002b0145bffa1f
Instruction Fuzzy Hash: 8E5227B150A706EFD710CF54E8981997FA1FB44338B928228D1619BAD1D3BC6DCACF44

Uniqueness

Uniqueness Score: -1.00%

Function 070AE590, Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f015fdd026410485456bd2a6ff086679b5ac6520500db459658cfb540d0d3d
Instruction ID: c7f780f889f5fe518137deea6ddeb03a740f4cc30e44db3d4dd865a052b423bc
Opcode Fuzzy Hash: 91f015fdd026410485456bd2a6ff086679b5ac6520500db459658cfb540d0d3d
Instruction Fuzzy Hash: 17D1CEB0700705AFEB65EBB6C451BAEB7E6AF88700F10856DD106DB391DB34E905CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B09998, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.249187952.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4db099a918bf93c81464d0c576a7b773aaa67de5c61511fe3d077f1a0b65e9a4
Instruction ID: 8936114a1ee01c85b57329f0d4d88da6736a9ecbc448b534905121d6d3d1313f
Opcode Fuzzy Hash: 4db099a918bf93c81464d0c576a7b773aaa67de5c61511fe3d077f1a0b65e9a4
Instruction Fuzzy Hash: CBA14132E0061A8FCF15DFA5C8849DDBBF2FF85300B1585AAE905BB261EB35A955CB40

Uniqueness

Uniqueness Score: -1.00%

Function 070A52C8, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51eaba50fdbd4ab3b83686ebdff717362da7d5630914678f266c68d3016f4ca3
Instruction ID: fa705f04f0aa719fd378b12c2c60b2bd89a2899e3df1ef39278c19a511f1f648
Opcode Fuzzy Hash: 51eaba50fdbd4ab3b83686ebdff717362da7d5630914678f266c68d3016f4ca3
Instruction Fuzzy Hash: 2EB124B1E05219DFCB08CFE9C9856DEFBF2BF89300F24D626D405AB254E77499428B64

Uniqueness

Uniqueness Score: -1.00%

Function 070A52B8, Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f1bed6ebaa93ebe863902e6712979346f49bc69dae601c9e9612fb60219071f
Instruction ID: 6b431230171ce953eb09da58b2aa33b0865ed0a0e0f9002408f1405e534241ff
Opcode Fuzzy Hash: 0f1bed6ebaa93ebe863902e6712979346f49bc69dae601c9e9612fb60219071f
Instruction Fuzzy Hash: 91A134B1E05219DBCB08CFE9C9855DEFBF2BF89300F24D62AD405AB354E77499428B60

Uniqueness

Uniqueness Score: -1.00%

Function 070A577F, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b49277ee4b45bb50bdac207c77b697d8b84436375daabbb200f3d399f13da44
Instruction ID: 32c90c71146f1513b6400d572e607a29efb618b11c01570878c94bb7f01f5e01
Opcode Fuzzy Hash: 2b49277ee4b45bb50bdac207c77b697d8b84436375daabbb200f3d399f13da44
Instruction Fuzzy Hash: 496148B0E1520AABCB04CFEAC9416EEFBF2BB89310F14D525D525BB254D7349A51CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 070A5790, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9702ef28cf852a9e309f9c03b25f6c1f3bc6b50454e4f96f5f4f99e6a29377d6
Instruction ID: 5144b43cb3946e39c0091b6d78add437d21b9ad8444d9778ce3c0310bf2289d0
Opcode Fuzzy Hash: 9702ef28cf852a9e309f9c03b25f6c1f3bc6b50454e4f96f5f4f99e6a29377d6
Instruction Fuzzy Hash: 9C6127B0E1520AABCB04CFEAC9416EEFBF2BB89310F14D525D525BB254D7349A51CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 070A0278, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a86ca4b16e51dbed48f9c4e83eee01d09d83ad0b3e9e497373592cd715bf008c
Instruction ID: 8667a4a4c3fb15564250ab2ae08a6c0c70e2ac63216c24ea798752b5a2aaa9a4
Opcode Fuzzy Hash: a86ca4b16e51dbed48f9c4e83eee01d09d83ad0b3e9e497373592cd715bf008c
Instruction Fuzzy Hash: 1471E1B4E152099FCB44CFEAC5809DEFBF2FF89210F24952AD415BB314E3309A018B65

Uniqueness

Uniqueness Score: -1.00%

Function 070A026A, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 356b9ca29c523bea3461b4826ac1fa9eed7b2ccaa22a811a0f7544b29985fdb0
Instruction ID: cebbfa66a247963b122b475b9c92e3d6676c3065a609b60df3523acb5a9849c1
Opcode Fuzzy Hash: 356b9ca29c523bea3461b4826ac1fa9eed7b2ccaa22a811a0f7544b29985fdb0
Instruction Fuzzy Hash: AB61F0B4E152099FCB44CFE9C9809DEFBF2FF89210F24952AD415BB324E3349A418B65

Uniqueness

Uniqueness Score: -1.00%

Function 070A1198, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71ce818a317e082383226ead7d4b0f41a5da79afb34ee78a4a01377e0c7981a3
Instruction ID: 3984d5ee0457cdc3d515b1b221df1e7ad2aa3d8a65bde49198331f60a898a21e
Opcode Fuzzy Hash: 71ce818a317e082383226ead7d4b0f41a5da79afb34ee78a4a01377e0c7981a3
Instruction Fuzzy Hash: D9514C71E016188BDB68CF6B8D4479EFBF3AFC8200F14C1BA950CA6214EB301A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 070A0040, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf35d22ed84ba351b516572e8e71b3a247c5e062d9954013fe4cb8eca5dfe2d
Instruction ID: 3e9144f0d8d027029a54e8457b8a76872f1a25ca5cc87154ae7b1014cea5d6a0
Opcode Fuzzy Hash: caf35d22ed84ba351b516572e8e71b3a247c5e062d9954013fe4cb8eca5dfe2d
Instruction Fuzzy Hash: BA41D6B0D0420A9BCB44CFAAC5819AEFBF2BF88200F24D52AC515E7254E7349641CF94

Uniqueness

Uniqueness Score: -1.00%

Function 070A1185, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65cf84adb9cc01c5ef824a38d2e647f816cd75eeb0b9dc7e726bf7f24789aaa
Instruction ID: 01535f0945c021d615d74312e6bcc90973bef16199d7fe6626eddfedb4319fe2
Opcode Fuzzy Hash: a65cf84adb9cc01c5ef824a38d2e647f816cd75eeb0b9dc7e726bf7f24789aaa
Instruction Fuzzy Hash: DF513CB1E016188BEB58DF6BCD4579EFBF3AFC8200F14C1BA950DA6254EB341A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 070A6078, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc2dbdc0d3523032f97d5ac629d774c5da41f7b10afd5eaab45072538a182204
Instruction ID: efb373cdd5578d1ac50fa62460e3aa4be3a4d0d18966f203584b226192b03cb1
Opcode Fuzzy Hash: dc2dbdc0d3523032f97d5ac629d774c5da41f7b10afd5eaab45072538a182204
Instruction Fuzzy Hash: 2E31B471E052999FDB09CFBAA8515EEFFF6AF86210F18C06BC484A7216D7304552CB51

Uniqueness

Uniqueness Score: -1.00%

Function 070A4388, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a89fa19791dbbe25388efef31e1201f904d1cea57be24e291e9599b32cff05f
Instruction ID: d3565b0274195e00914c9d844ecd9c15f6ce6f5d86f1c04764247aaefa575f51
Opcode Fuzzy Hash: 1a89fa19791dbbe25388efef31e1201f904d1cea57be24e291e9599b32cff05f
Instruction Fuzzy Hash: 45315BB4E11659DBDB18CFAAD940AEEFBF2ABC9200F14C26AD518B7204D7741A018F50

Uniqueness

Uniqueness Score: -1.00%

Function 070A498D, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebad850cf7e3dc90ab4c5132d7c37c09cb8c3107eccb527f3105443eba12fce1
Instruction ID: bbf533bcc1afda68050d27357fdd7b06259d13ea846627db6cb44fead11b188e
Opcode Fuzzy Hash: ebad850cf7e3dc90ab4c5132d7c37c09cb8c3107eccb527f3105443eba12fce1
Instruction Fuzzy Hash: 51218370D056899FDB09CF6AD8416DAFFF7AFCA300F18D0AAD588A7252DB300946CB51

Uniqueness

Uniqueness Score: -1.00%

Function 070A60C8, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260281216.00000000070A0000.00000040.00000001.sdmp, Offset: 070A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab28e076ca5227d3211b241084ac4634571b46f1f9ca02dcb3008a9952b10b3f
Instruction ID: 984f92814ca81fd015ea83a0ea329a763a03a53253d49f110a1523f09074ede6
Opcode Fuzzy Hash: ab28e076ca5227d3211b241084ac4634571b46f1f9ca02dcb3008a9952b10b3f
Instruction Fuzzy Hash: F521F771E116199BDB08CFABD94069EFBF7EBC8210F18C13AD518A7214DB345A418B61

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 9644a199_by_Libranalysis.exe PID: 6192 Parent PID: 5876 9644a199_by_Libranalysis.exeCOMMON

Executed Functions

Function 0601CF68, Relevance: 8.5, APIs: 5, Instructions: 955libraryCOMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32 ref: 0601CF68
LdrInitializeThunk.NTDLL ref: 0601D1A7
KiUserExceptionDispatcher.NTDLL ref: 0601D5C5
KiUserExceptionDispatcher.NTDLL ref: 0601D71E

Memory Dump Source

Source File: 00000006.00000002.497315872.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InfoInitializeMonitorThunk
String ID:
API String ID: 4239697209-0
Opcode ID: 5b1431fe71d77556a5e15267f14b323ecc87f105315ec7705225df7c59961928
Instruction ID: 8089e12aeb9962d925ea20fc751a88dc71eced22519283765cd5d426e3b6a700
Opcode Fuzzy Hash: 5b1431fe71d77556a5e15267f14b323ecc87f105315ec7705225df7c59961928
Instruction Fuzzy Hash: 5EA20374A04228CFCB64EF30D9A869DBBB6BF48305F1080EAD54AA7344DB359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 06015A94, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 0601B643

Memory Dump Source

Source File: 00000006.00000002.497315872.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 532fd658369a853a0cd431dc92383efb58f2d1b473d808eddba765b6af04134c
Instruction ID: 83deb1e2a83d6d08cf0142cd3822b3e1db1ef3528924a16596b1bd50a942ce1f
Opcode Fuzzy Hash: 532fd658369a853a0cd431dc92383efb58f2d1b473d808eddba765b6af04134c
Instruction Fuzzy Hash: BA51F270E002188FDB58DFA9C884BDDBBF5BF48314F158529E815BB391DB78A844CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0142691F, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 130threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 014269A0
GetCurrentThread.KERNEL32 ref: 014269DD
GetCurrentProcess.KERNEL32 ref: 01426A1A
GetCurrentThreadId.KERNEL32 ref: 01426A73

Strings

l, xrefs: 01426922

Memory Dump Source

Source File: 00000006.00000002.489305341.0000000001420000.00000040.00000001.sdmp, Offset: 01420000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID: l
API String ID: 2063062207-2517025534
Opcode ID: 581b77bf4471f1300761e2bd3e56c33c701d8385af0e9c3b6aa2912519163baa
Instruction ID: b1516c25e63377d21579d34e22f05080572d1575d483c3b303c5245ae1a3adc6
Opcode Fuzzy Hash: 581b77bf4471f1300761e2bd3e56c33c701d8385af0e9c3b6aa2912519163baa
Instruction Fuzzy Hash: C95166B09006498FDB14DFAAD989BDEBFF0EF48304F24845AE449A73A0DB745984CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0601CF89, Relevance: 6.6, APIs: 4, Instructions: 631libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0601D1A7
KiUserExceptionDispatcher.NTDLL ref: 0601D5C5
KiUserExceptionDispatcher.NTDLL ref: 0601D71E

Memory Dump Source

Source File: 00000006.00000002.497315872.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 15b2c06856a3d199466e96dc364ebc2d71a0df25f930df8e4ed881d1d42d19ee
Instruction ID: 4b77bc01ccf87d18079670122649d2591609170c4f7d49884a6a35be9a0acd35
Opcode Fuzzy Hash: 15b2c06856a3d199466e96dc364ebc2d71a0df25f930df8e4ed881d1d42d19ee
Instruction Fuzzy Hash: 16522670A04228CFCB64DF30D9A869DBBB6BF49345F1080EAD54AA7344DB399E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0601CFCE, Relevance: 6.6, APIs: 4, Instructions: 624libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0601D1A7
KiUserExceptionDispatcher.NTDLL ref: 0601D5C5
KiUserExceptionDispatcher.NTDLL ref: 0601D71E

Memory Dump Source

Source File: 00000006.00000002.497315872.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 732cd752b9a2b759d18f4eda12471b86c32342ac0e845521cb58ddb7b4a4cc3e
Instruction ID: 6c785e349ebe34aadc2ce51dd6097b90aa98e195d65abee58f6f62c30407eb83
Opcode Fuzzy Hash: 732cd752b9a2b759d18f4eda12471b86c32342ac0e845521cb58ddb7b4a4cc3e
Instruction Fuzzy Hash: 59522570A04228CFCB64DF30D9A869DBBB6BF49345F1080EAD54AA7344DB399E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01426940, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 014269A0
GetCurrentThread.KERNEL32 ref: 014269DD
GetCurrentProcess.KERNEL32 ref: 01426A1A
GetCurrentThreadId.KERNEL32 ref: 01426A73

Memory Dump Source

Source File: 00000006.00000002.489305341.0000000001420000.00000040.00000001.sdmp, Offset: 01420000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2a79000efcff51edac315540962186869bb58d0a34f5f6c01b0df76c8638f0c1
Instruction ID: b5e9b197ba3605c12e8c53eace3254468e5587ecd477d10b18cc4eb86d6eb516
Opcode Fuzzy Hash: 2a79000efcff51edac315540962186869bb58d0a34f5f6c01b0df76c8638f0c1
Instruction Fuzzy Hash: AF5154B0A006498FDB14DFAAD548BDEBBF0FF88314F20845AE409A73A0CB745884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0601D62B, Relevance: 3.4, APIs: 2, Instructions: 405COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0601D71E
KiUserExceptionDispatcher.NTDLL ref: 0601E04E

Memory Dump Source

Source File: 00000006.00000002.497315872.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 94af47b49b1bf5899abefa76c602f180ba6dd24be6b51c7ef11aeeb143f86adc
Instruction ID: 5ee169c224889abc3f7305dfec0b303c7e6efefab18b523dde1384164f01fcdc
Opcode Fuzzy Hash: 94af47b49b1bf5899abefa76c602f180ba6dd24be6b51c7ef11aeeb143f86adc
Instruction Fuzzy Hash: F11226B4904228CFCB64DF30D9A469DBBB2BF49345F1080EAD60AA7740DB399E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0601D670, Relevance: 3.4, APIs: 2, Instructions: 398COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0601D71E
KiUserExceptionDispatcher.NTDLL ref: 0601E04E

Memory Dump Source

Source File: 00000006.00000002.497315872.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 45c3bfafe90e380655d54cadb8c1822ea50084bb1821ec90328b514a1a79ca33
Instruction ID: 7dab333ab300a511003069b8d6806cfa4c1d93165e651cf0248db52754ce9223
Opcode Fuzzy Hash: 45c3bfafe90e380655d54cadb8c1822ea50084bb1821ec90328b514a1a79ca33
Instruction Fuzzy Hash: F91225B4904228CFCB64DF30D9A469DBBB2BF49245F1080EAD60AA7740DF399E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0601D6B5, Relevance: 3.4, APIs: 2, Instructions: 391COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0601D71E
KiUserExceptionDispatcher.NTDLL ref: 0601E04E

Memory Dump Source

Source File: 00000006.00000002.497315872.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 50eb66b251737b2caf2e20a50cc3accdb74a3009d55271a376cfaa139365cbb2
Instruction ID: cfb7ef06dbf7eadb7eff4bdaa7803957b797dd3754a0df841f928192f8e3dfe9
Opcode Fuzzy Hash: 50eb66b251737b2caf2e20a50cc3accdb74a3009d55271a376cfaa139365cbb2
Instruction Fuzzy Hash: 501225B4904228CFCB64DF30D9A469DBBB2BF49245F1080EAD60AA7740DF399E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0601D6FA, Relevance: 3.4, APIs: 2, Instructions: 384COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0601D71E
KiUserExceptionDispatcher.NTDLL ref: 0601E04E

Memory Dump Source

Source File: 00000006.00000002.497315872.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 336cfa4a1145cba794f71de152feae932bda516c965a5fd4af9eec58edd8868d
Instruction ID: 5e4980d903c431417fa21a1110bf23b1464785c869acb1253ce075c67339e471
Opcode Fuzzy Hash: 336cfa4a1145cba794f71de152feae932bda516c965a5fd4af9eec58edd8868d
Instruction Fuzzy Hash: AF0215B4904228CFCB64DF30D9A469DBBB2BF49345F1080EAD60AA7740DB399E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0601C538, Relevance: 2.1, APIs: 1, Instructions: 554windowCOMMON

Download Yara Rule

APIs

LookupIconIdFromDirectoryEx.USER32 ref: 0601CF11

Memory Dump Source

Source File: 00000006.00000002.497315872.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: DirectoryFromIconLookup
String ID:
API String ID: 4122609882-0
Opcode ID: 54a9488f1f419982925ec8ea2648207205608bceaef3f41a23709416a613d6d4
Instruction ID: fa61960fe9b7eb6df079adfd3cd2e1959473b63234363c524a654802033f3ab0
Opcode Fuzzy Hash: 54a9488f1f419982925ec8ea2648207205608bceaef3f41a23709416a613d6d4
Instruction Fuzzy Hash: 19427974A012298FCB24EF64D8987AD7BB6FB88301F5041E9E90AA7344DF356E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0601FB10, Relevance: 1.9, APIs: 1, Instructions: 428COMMON

Download Yara Rule

APIs

EnumDisplaySettingsA.USER32(00000001,?,00000000,00000000,?,00000000), ref: 0601FD05

Memory Dump Source

Source File: 00000006.00000002.497315872.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: DisplayEnumSettings
String ID:
API String ID: 3434046153-0
Opcode ID: 4920736fe24b7a81af6e1dbbdf0a62c34ec9e4a276e454d11624e08e25677148
Instruction ID: 0fb2dcd60ec8381e2cffd6c6a9638f9c26f59ca53eb1db55c8ca5c4b21afbad0
Opcode Fuzzy Hash: 4920736fe24b7a81af6e1dbbdf0a62c34ec9e4a276e454d11624e08e25677148
Instruction Fuzzy Hash: 93C13B34F5020A8FDB54DBA8D4997ADBBF2EF89310F148529E906EF390DA70DC458B91

Uniqueness

Uniqueness Score: -1.00%

Function 0601D73F, Relevance: 1.9, APIs: 1, Instructions: 377COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0601E04E

Memory Dump Source

Source File: 00000006.00000002.497315872.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a41f3e5ca98fbcd2d497ee82facff29fd3d2b924a2d57fd58d32e545255e290e
Instruction ID: 63c64bb600b9307d1761cfd3e1c054060211f0f3f0bc38881e2e2b379b83acff
Opcode Fuzzy Hash: a41f3e5ca98fbcd2d497ee82facff29fd3d2b924a2d57fd58d32e545255e290e
Instruction Fuzzy Hash: 3B0216B4904228CFCB64DF30D9A469DBBB2BF49345F1080EAD60AA7740DB399E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0601D784, Relevance: 1.9, APIs: 1, Instructions: 370COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0601E04E

Memory Dump Source

Source File: 00000006.00000002.497315872.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 82bc99fe54c42729eae90ad83ef9e87190bae8dab1f4938331338ef215616b29
Instruction ID: 473c7b27992f1b4565cd5fe4973eea3c2b9a8a15082850bc4bade1dbf9004dc1
Opcode Fuzzy Hash: 82bc99fe54c42729eae90ad83ef9e87190bae8dab1f4938331338ef215616b29
Instruction Fuzzy Hash: FA0226B4904228CFCB64DF30D9A469DBBB2BF49245F1080EAD60AA7740DF399E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0601D7C9, Relevance: 1.9, APIs: 1, Instructions: 363COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0601E04E

Memory Dump Source

Source File: 00000006.00000002.497315872.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3dff403ed99f81cd5539388dafcef58587fbc26b3df648d585a8a6d3f30861f3
Instruction ID: dd3b40d586c3311d128fdbdc74bc3ac70704903052029283df5054b76b18b150
Opcode Fuzzy Hash: 3dff403ed99f81cd5539388dafcef58587fbc26b3df648d585a8a6d3f30861f3
Instruction Fuzzy Hash: 1D0227B4904228CFCB64DF30D9A469DBBB2BF49245F1080EAD60AA7740DF399E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0601DE47, Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0601E04E

Memory Dump Source

Source File: 00000006.00000002.497315872.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e60d981d763c1e74d093fcc7674a4a8ee9ad416ce5938de1cbc15bd1f9888db5
Instruction ID: 202d5eefc02cbf1699cfaa3161b8820ae9ffcb3405048d2b76b3f8b1a91688be
Opcode Fuzzy Hash: e60d981d763c1e74d093fcc7674a4a8ee9ad416ce5938de1cbc15bd1f9888db5
Instruction Fuzzy Hash: 98814FB0A042298FCB64DB30C9987ADBBF2BF88205F5084E9D50AA7340DF399D85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0601DE8F, Relevance: 1.7, APIs: 1, Instructions: 188COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0601E04E

Memory Dump Source

Source File: 00000006.00000002.497315872.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b9f355a03ba2ea134fb59bc3520916f0c50486706cf46b6d1bf9df07be0aa8f1
Instruction ID: 7ba306a33c03f0c03253ba3cd6a4721cb31b3f55334416c7112a3d8c7bd86d8d
Opcode Fuzzy Hash: b9f355a03ba2ea134fb59bc3520916f0c50486706cf46b6d1bf9df07be0aa8f1
Instruction Fuzzy Hash: 5D815070A041298FCB64DB34C9987ADBBF2BF88205F5084E9D50AA7344DF399D85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0601DED7, Relevance: 1.7, APIs: 1, Instructions: 181COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0601E04E

Memory Dump Source

Source File: 00000006.00000002.497315872.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6e6b1be8ac6c35ccc247796f620ad84bc715e81c57316eaa643ddc7457f6d293
Instruction ID: a9adf42021e9b9694ef9be0da328015fa897ee10c72d6ca207eb716740a26c45
Opcode Fuzzy Hash: 6e6b1be8ac6c35ccc247796f620ad84bc715e81c57316eaa643ddc7457f6d293
Instruction Fuzzy Hash: 887160B0A001298FCB64DB24C9987ADBBF2BF88205F5084E9D90AA7344DF399D85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0601DF1F, Relevance: 1.7, APIs: 1, Instructions: 174COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0601E04E

Memory Dump Source

Source File: 00000006.00000002.497315872.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8263e88e124b714090da8695910eba51928b70a1b51b12d4f4785214709fd493
Instruction ID: 511cf8520c99f3b51a7f5e90487f9c2721f89d359b6bff035599148d0cb1f6a5
Opcode Fuzzy Hash: 8263e88e124b714090da8695910eba51928b70a1b51b12d4f4785214709fd493
Instruction Fuzzy Hash: 32717F70A002298FCB64DB20C9987ADBBF6BF88205F5084E9D94AE7344DF398D85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0601DF67, Relevance: 1.7, APIs: 1, Instructions: 167COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0601E04E

Memory Dump Source

Source File: 00000006.00000002.497315872.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: db3898c4663b2ab8f829e904eaa0cf924ea01aa781f07a09b2d1bc6d5d4347c1
Instruction ID: dabc01ad7a11fa51a378703e08abf86719e83cab3ff3279c593bcfb5b253b372
Opcode Fuzzy Hash: db3898c4663b2ab8f829e904eaa0cf924ea01aa781f07a09b2d1bc6d5d4347c1
Instruction Fuzzy Hash: 336171B0A002298FCB64DB24C9987ADBBF6BF88205F5084E9D50AE7344DF398D85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0601DFAF, Relevance: 1.7, APIs: 1, Instructions: 160COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0601E04E

Memory Dump Source

Source File: 00000006.00000002.497315872.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9249357691e1c5a40bf4f624dc9511e8d09fef03e888a6d63979de3017107ddf
Instruction ID: c0422447a5adfa5678b2d3e62f0f348f23ad1f5401831914c53325939d77ab62
Opcode Fuzzy Hash: 9249357691e1c5a40bf4f624dc9511e8d09fef03e888a6d63979de3017107ddf
Instruction Fuzzy Hash: 35618070A002298FDB64DB24C9987ADBAF6BF88205F5084E9D90AE7344DF398D85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0142500F, Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014251A2

Memory Dump Source

Source File: 00000006.00000002.489305341.0000000001420000.00000040.00000001.sdmp, Offset: 01420000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 307c57430aac7e78d28205cde0d7c7e8ec97a266658e9e1762ac2a08ec81be84
Instruction ID: d7ac33c077220d16f97fbbeeaa7b86952d3e973e02b832238834a153c588b80f
Opcode Fuzzy Hash: 307c57430aac7e78d28205cde0d7c7e8ec97a266658e9e1762ac2a08ec81be84
Instruction Fuzzy Hash: 486133B1D04349AFDF02CFA9C884ADDBFB1BF49314F69815AE808AB261D7759885CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0601DFF7, Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0601E04E

Memory Dump Source

Source File: 00000006.00000002.497315872.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 98fc1c5e3feba57824607362ebe9d6b63e7b5448cc118b6fb06a1422d04ed44c
Instruction ID: 0c5705285e73dbf3f35ddb029241c14b4465a8fddcefd421ba8d0a184ccb7c8f
Opcode Fuzzy Hash: 98fc1c5e3feba57824607362ebe9d6b63e7b5448cc118b6fb06a1422d04ed44c
Instruction Fuzzy Hash: 9051A070A001298FCB64EB34C9987AD7AF6BF88205F5084E9D94AE7344DF398D85CF65

Uniqueness

Uniqueness Score: -1.00%

Function 01425090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014251A2

Memory Dump Source

Source File: 00000006.00000002.489305341.0000000001420000.00000040.00000001.sdmp, Offset: 01420000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0f28f36958d0e56ac92d25fae858d28fc4cfe748dcf0904c48b2b91230177d47
Instruction ID: 2c9fa71db0a66e4cefcbaa05dbb3f92772df4997b7340122c9a8b12648494c8b
Opcode Fuzzy Hash: 0f28f36958d0e56ac92d25fae858d28fc4cfe748dcf0904c48b2b91230177d47
Instruction Fuzzy Hash: FC41CFB1D10318DFDF14CFA9C884ADEBBB5BF88314F64812AE819AB210D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0142779C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 01427F11

Memory Dump Source

Source File: 00000006.00000002.489305341.0000000001420000.00000040.00000001.sdmp, Offset: 01420000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: fe885b5a34cd61914d5e952c1ca200f7840af9cf7a12a23432b96df64120809e
Instruction ID: e49bef77af0cb52c276b595d9212f22a14b0366dd89d8b7c344cf4217fd564cf
Opcode Fuzzy Hash: fe885b5a34cd61914d5e952c1ca200f7840af9cf7a12a23432b96df64120809e
Instruction Fuzzy Hash: 56415BB4900219CFCB14DF99C488BAABBF5FF98324F15C459E519AB321D774A881CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0142C199, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0142C222

Memory Dump Source

Source File: 00000006.00000002.489305341.0000000001420000.00000040.00000001.sdmp, Offset: 01420000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 9291befe73611486d5c5c98ac253a88ee57dff3532ff1543c9ccc6a01654835f
Instruction ID: 2da6f83d228e01fe030bdfedc636b03fb1cb77f9e35eb82375b6186c0b2b0901
Opcode Fuzzy Hash: 9291befe73611486d5c5c98ac253a88ee57dff3532ff1543c9ccc6a01654835f
Instruction Fuzzy Hash: 7C31BEB18053498FDB10DFA9E94939E7FF4EF06314F64805AE448A7352DB795484CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06019234, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

MoveFileExW.KERNELBASE(?,00000000,?,?), ref: 0601BDA8

Memory Dump Source

Source File: 00000006.00000002.497315872.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: ddc73ea1e45a28e414b10b83cb2114f9dbd8788e8877c40785b1b3267b4cc3dd
Instruction ID: 21c6c6864df4dd403dd6a1be814cfea58cdcec98460ed58c634455a331ec64fc
Opcode Fuzzy Hash: ddc73ea1e45a28e414b10b83cb2114f9dbd8788e8877c40785b1b3267b4cc3dd
Instruction Fuzzy Hash: 3C2124B6D012199FCB54DFA9D9846DEBBF4FF48320F14815AE808BB304D735A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01426B62, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01426BEF

Memory Dump Source

Source File: 00000006.00000002.489305341.0000000001420000.00000040.00000001.sdmp, Offset: 01420000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8cfb70dd240f2fa28fc3d3205c43727e8e866c109c88f3479c623632485fcd35
Instruction ID: deadbea1865f5929a821c01ca9b6fe399dcf384241cf4a9de9ed974ef9949a52
Opcode Fuzzy Hash: 8cfb70dd240f2fa28fc3d3205c43727e8e866c109c88f3479c623632485fcd35
Instruction Fuzzy Hash: F121E3B59012599FDB10CFA9D584AEEBBF4EB48320F15842AE914A7310D374A954CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01426B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01426BEF

Memory Dump Source

Source File: 00000006.00000002.489305341.0000000001420000.00000040.00000001.sdmp, Offset: 01420000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2dfd0e3293bb0f485961c323148a86f04bffd84b3894db61f5b840e33ac9ca89
Instruction ID: db3460eb03a83f2388a6ebc69fe30b0aef7d74bbf473285765e69d9ea10ce504
Opcode Fuzzy Hash: 2dfd0e3293bb0f485961c323148a86f04bffd84b3894db61f5b840e33ac9ca89
Instruction Fuzzy Hash: 3421F3B5D002589FDB10DFAAD984ADEBFF8FB48320F14841AE914A7310D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC7294, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,00BC84B9,00000800), ref: 00BC854A

Memory Dump Source

Source File: 00000006.00000002.485808758.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 53af17388152d0aeb31b58645af8e7285cbccba76c4780ade60f1f7a4698fe9b
Instruction ID: e8563057a9affa6c54d997fc1961314f878e089c9b15fb0ce5f8b4588de0d2ec
Opcode Fuzzy Hash: 53af17388152d0aeb31b58645af8e7285cbccba76c4780ade60f1f7a4698fe9b
Instruction Fuzzy Hash: 391106B69002098FCB10DF9AC444BDEFBF4EB98324F10845EE515A7300C775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0142C1A8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0142C222

Memory Dump Source

Source File: 00000006.00000002.489305341.0000000001420000.00000040.00000001.sdmp, Offset: 01420000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 3b9d4cc0945f272284a517207abccececcd9c102dff769ddd7c98c2f7caa4a27
Instruction ID: b42e2cd4f11ee8fce68a4e0cfc796071b5ed2585227f4b4b7a18274f2ebb78e5
Opcode Fuzzy Hash: 3b9d4cc0945f272284a517207abccececcd9c102dff769ddd7c98c2f7caa4a27
Instruction Fuzzy Hash: 38118CB19003198FCB10EFA9D4487DEBFF4EB49324F60842AD408B3241CB796484CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC84D9, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,00BC84B9,00000800), ref: 00BC854A

Memory Dump Source

Source File: 00000006.00000002.485808758.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 207f6b69328f86ff585492bfd157139d382db8f46762941cd56da7d075ee333a
Instruction ID: c6e9d73a1335c278c038446043cfb03c1d33a7b8d637768089cf375d3829d925
Opcode Fuzzy Hash: 207f6b69328f86ff585492bfd157139d382db8f46762941cd56da7d075ee333a
Instruction Fuzzy Hash: 151103B69002498FCB10DFAAD444BDEFBF4EB98324F14846EE419A7200C775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01423300, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01424116

Memory Dump Source

Source File: 00000006.00000002.489305341.0000000001420000.00000040.00000001.sdmp, Offset: 01420000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8ac3745950d19e46d6ea550b239a1d4024c142434340b5761380eee0b5083e34
Instruction ID: f40a6fa8c4ecb7e828b0d89ac18dd1fbef126031417c6c6c36a391f5a2e83d74
Opcode Fuzzy Hash: 8ac3745950d19e46d6ea550b239a1d4024c142434340b5761380eee0b5083e34
Instruction Fuzzy Hash: 1A1123B19002598BDB10DF9AC448BDEBBF4EB49220F15842AD519B7210C378A585CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014240AC, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01424116

Memory Dump Source

Source File: 00000006.00000002.489305341.0000000001420000.00000040.00000001.sdmp, Offset: 01420000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9ae6ec5978b5ef38cf4f6f33796290bce26b0feeee692eb1f5ea6788737d6838
Instruction ID: ebef9d225b77d6b8b8c15bd2018add0dcaa8f03e9151b1b6723d358a42e8d850
Opcode Fuzzy Hash: 9ae6ec5978b5ef38cf4f6f33796290bce26b0feeee692eb1f5ea6788737d6838
Instruction Fuzzy Hash: 4211F0B6D002198BDB10DFAAC448BDEFBF4EF48324F25841AD429B7610C378A585CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BCB088, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00BCBFF5

Memory Dump Source

Source File: 00000006.00000002.485808758.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c04a785a8d8c859684f3b2d2623806d2075785455346f1f2dc626007fbbf358d
Instruction ID: 4846c7b4abda0aac29bf128102aeb8b17ff4e1230cb6f647d2aec02ec2bdd646
Opcode Fuzzy Hash: c04a785a8d8c859684f3b2d2623806d2075785455346f1f2dc626007fbbf358d
Instruction Fuzzy Hash: E51115B1904248CFCB20DFAAD888BDEBBF8EB48324F108459E519B7300C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BCBF98, Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00BCBFF5

Memory Dump Source

Source File: 00000006.00000002.485808758.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 48702788da8351c9f0a28ec6beea8ee152a6753281df9d8ae6e5b895dae13cd4
Instruction ID: a6d6c48d9fdf2e59dae4fe3d2e78413db6a0d73f2118c6a3c1f97ff899188869
Opcode Fuzzy Hash: 48702788da8351c9f0a28ec6beea8ee152a6753281df9d8ae6e5b895dae13cd4
Instruction Fuzzy Hash: 671115B5904248CFCB20DFAAD484BDEBFF4AB58324F24855AE419B7700C379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01424080, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01424116

Memory Dump Source

Source File: 00000006.00000002.489305341.0000000001420000.00000040.00000001.sdmp, Offset: 01420000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 45c894901eb195dfdea0c01e5c093f95e43d28842cc8573507a99ed98c82d1a7
Instruction ID: c2a9ae6499de474acc690206cd667641978c089c0cc0fc733db1e0d7c70f8674
Opcode Fuzzy Hash: 45c894901eb195dfdea0c01e5c093f95e43d28842cc8573507a99ed98c82d1a7
Instruction Fuzzy Hash: EF116DB59047488FCB11CF99C40429ABFF0EF49314F28859BC148EB252C3399486CF66

Uniqueness

Uniqueness Score: -1.00%

Function 0107D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.487996774.000000000107D000.00000040.00000001.sdmp, Offset: 0107D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac3c24eeb83bdaf4bba4554e842b4daa5609cfebb870b7fb4072e682f112e13
Instruction ID: 9b4e24baae7db61b5dddf1ac7c6b580786e2c67952dbec2d2e4a7d10ef8aaa7e
Opcode Fuzzy Hash: bac3c24eeb83bdaf4bba4554e842b4daa5609cfebb870b7fb4072e682f112e13
Instruction Fuzzy Hash: AE2125B1904240DFCB12DF64D8C0B26BBA5FF84354F24C5ADE9894B246C336D817CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0107D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.487996774.000000000107D000.00000040.00000001.sdmp, Offset: 0107D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bc18db666fa400a8283f935325700fba638367e93cc0d32ec90df0fcf8e021a
Instruction ID: eb085e27fe970e57a9204f8307de56bc2a96e96dadbe06fd5d65890e8ac44b37
Opcode Fuzzy Hash: 7bc18db666fa400a8283f935325700fba638367e93cc0d32ec90df0fcf8e021a
Instruction Fuzzy Hash: CD2192755093808FCB13CF64D990715BFB1EF46214F28C5DAD8898B657C33A980ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 9644a199_by_Libranalysis

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre